Considerations for SSO Users

Considerations for users who log in to the system through an SSO Identity Provider.

  • When integrating with an SSO Identity Provider, PAM expects a separate integration with Active Directory that the SSO IdP syncs with independently. PAM uses the SSO IdP for authentication (including MFA) and login authorization (according to the SSO IdP's rules), and uses AD to resolve group membership when permissions or workflow activities are granted to AD groups.

  • All proxies that allow users to connect using native clients authenticate against Active Directory and PAM-managed MFA (TOTP, Duo, RADIUS, or PAM's own native MFA) rather than the SSO IdP.

  • Some of the proxies (RDP and SQL, but not SSH or Web Sessions) require a hash of the user's password to be stored in PAM. When users log in to PAM directly, this is done automatically. With SSO login, PAM never sees the user's password, so the only way to support these proxies is to let PAM learn the password: use the Re-Enable RDP Proxy button in the Properties of the user profile.

  • For pass-through access ($login in the user field), both proxy and Web access pass the password the user entered on the login form to the upstream endpoint. With SSO login, PAM does not know the user's password, so it cannot pass it through to the endpoint server. The solution is the same: Re-Enable RDP Proxy in the Properties of the user profile. Whenever the password is changed, it must be re-enabled again using the same procedure.